CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
965 vulnerabilities reference this CWE, most recent first.
GHSA-Q4G4-GMVW-9FQC
Vulnerability from github – Published: 2025-03-06 18:31 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_tcm: Don't free command immediately
Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command.
{
"affected": [],
"aliases": [
"CVE-2024-58055"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T16:15:51Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_tcm: Don\u0027t free command immediately\n\nDon\u0027t prematurely free the command. Wait for the status completion of\nthe sense status. It can be freed then. Otherwise we will double-free\nthe command.",
"id": "GHSA-q4g4-gmvw-9fqc",
"modified": "2025-11-03T21:33:07Z",
"published": "2025-03-06T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58055"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/16907219ad6763f401700e1b57b2da4f3e07f047"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/38229c35a6d7875697dfb293356407330cfcd23e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7cb72dc08ed8da60fd6d1f6adf13bf0e6ee0f694"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/929b69810eec132b284ffd19047a85d961df9e4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bbb7f49839b57d66ccaf7b5752d9b63d3031dd0a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c225d006a31949d673e646d585d9569bc28feeb9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e6693595bd1b55af62d057a4136a89d5c2ddf0e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0c33e7d387ccbb6870e73a43c558fefede06614"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q4WQ-JHGH-JG2V
Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2023-12-08 18:30In multiple locations, there is a possible way to corrupt memory due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-40103"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T23:15:24Z",
"severity": "HIGH"
},
"details": "In multiple locations, there is a possible way to corrupt memory due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-q4wq-jhgh-jg2v",
"modified": "2023-12-08T18:30:41Z",
"published": "2023-12-05T00:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40103"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/58fa254a5d1aee2206de90d5396c01e177483e3a"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/c3bc12c484ef3bbca4cec19234437c45af5e584d"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/e4a821b10a1b020f18fc6fc316b13b90fa450bae"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q63V-R8X9-2C5R
Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: Detect events pointing to unexpected TREs
When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer.
For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed.
This behavior was observed on an ep that used upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")'. Where the device updated the events ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers.
This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained.
[mani: added stable tag and reworded commit message]
{
"affected": [],
"aliases": [
"CVE-2025-39790"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-11T17:15:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Detect events pointing to unexpected TREs\n\nWhen a remote device sends a completion event to the host, it contains a\npointer to the consumed TRE. The host uses this pointer to process all of\nthe TREs between it and the host\u0027s local copy of the ring\u0027s read pointer.\nThis works when processing completion for chained transactions, but can\nlead to nasty results if the device sends an event for a single-element\ntransaction with a read pointer that is multiple elements ahead of the\nhost\u0027s read pointer.\n\nFor instance, if the host accesses an event ring while the device is\nupdating it, the pointer inside of the event might still point to an old\nTRE. If the host uses the channel\u0027s xfer_cb() to directly free the buffer\npointed to by the TRE, the buffer will be double-freed.\n\nThis behavior was observed on an ep that used upstream EP stack without\n\u0027commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\nis written\")\u0027. Where the device updated the events ring pointer before\nupdating the event contents, so it left a window where the host was able to\naccess the stale data the event pointed to, before the device had the\nchance to update them. The usual pattern was that the host received an\nevent pointing to a TRE that is not immediately after the last processed\none, so it got treated as if it was a chained transaction, processing all\nof the TREs in between the two read pointers.\n\nThis commit aims to harden the host by ensuring transactions where the\nevent points to a TRE that isn\u0027t local_rp + 1 are chained.\n\n[mani: added stable tag and reworded commit message]",
"id": "GHSA-q63v-r8x9-2c5r",
"modified": "2026-05-12T15:31:08Z",
"published": "2025-09-11T18:35:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39790"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q6FW-PGC6-R84C
Vulnerability from github – Published: 2024-03-27 15:30 – Updated: 2024-11-04 21:30In the Linux kernel, the following vulnerability has been resolved:
net: pds_core: Fix possible double free in error handling path
When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), Callback function pdsc_auxbus_dev_release calls kfree(padev) to free memory. We shouldn't call kfree(padev) again in the error handling path.
Fix this by cleaning up the redundant kfree() and putting the error handling back to where the errors happened.
{
"affected": [],
"aliases": [
"CVE-2024-26652"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-27T14:15:10Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: pds_core: Fix possible double free in error handling path\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), Callback function pdsc_auxbus_dev_release\ncalls kfree(padev) to free memory. We shouldn\u0027t call kfree(padev)\nagain in the error handling path.\n\nFix this by cleaning up the redundant kfree() and putting\nthe error handling back to where the errors happened.",
"id": "GHSA-q6fw-pgc6-r84c",
"modified": "2024-11-04T21:30:26Z",
"published": "2024-03-27T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26652"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/995f802abff209514ac2ee03b96224237646cec3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba18deddd6d502da71fd6b6143c53042271b82bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffda0e962f270b3ec937660afd15b685263232d3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q6QF-3M2M-XQ4F
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-33824"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:34Z",
"severity": "CRITICAL"
},
"details": "Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-q6qf-3m2m-xq4f",
"modified": "2026-04-14T18:30:43Z",
"published": "2026-04-14T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33824"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7FC-6XM7-37M9
Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-07-08 15:31In the Linux kernel, the following vulnerability has been resolved:
mm/alloc_tag: clear codetag for pages allocated before page_ext initialization
Due to initialization ordering, page_ext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page_ext becomes available, leaving their codetag uninitialized.
A clear example is in init_section_page_ext(): alloc_page_ext() calls kmemleak_alloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page_ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty.
Use a global array to track pages allocated before page_ext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When page_ext initialization completes, set their codetag to empty to avoid warnings when they are freed later.
This warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled:
[ 9.582133] ------------[ cut here ]------------ [ 9.582137] alloc_tag was not set [ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1 [ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy) [ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550 [ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7 [ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246 [ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c [ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460 [ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324 [ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00 [ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360 [ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000 [ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0 [ 9.582211] PKRU: 55555554 [ 9.582212] Call Trace: [ 9.582213] [ 9.582214] ? __pfxpgalloctag_sub+0x10/0x10 [ 9.582216] ? check_bytes_and_report+0x68/0x140 [ 9.582219] free_frozen_pages+0x2e4/0x1150 [ 9.582221] ? __free_slab+0xc2/0x2b0 [ 9.582224] qlist_free_all+0x4c/0xf0 [ 9.582227] kasan_quarantine_reduce+0x15d/0x180 [ 9.582229] __kasan_slab_alloc+0x69/0x90 [ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500 [ 9.582234] do_getname+0x96/0x310 [ 9.582237] do_readlinkat+0x91/0x2f0 [ 9.582239] ? __pfx_do_readlinkat+0x10/0x10 [ 9.582240] ? get_random_bytes_user+0x1df/0x2c0 [ 9.582244] __x64_sys_readlinkat+0x96/0x100 [ 9.582246] do_syscall_64+0xce/0x650 [ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0 [ 9.582252] ? __pfxx64sys_getrandom+0x10/0x10 [ 9.582254] ? do_syscall_64+0x114/0x650 [ 9.582255] ? ksys_read+0xfc/0x1d0 [ 9.582258] ? pfx_ksys_read+0x10/0x10 [ 9.582260] ? do_syscall_64+0x114/0x650 [ 9.582262] ? do_syscall_64+0x114/0x650 [ 9.582264] ? __pfx_fput_close_sync+0x10/0x10 [ 9.582266] ? file_close_fd_locked+0x178/0x2a0 [ 9.582268] ? __x64_sys_faccessat2+0x96/0x100 [ 9.582269] ? __x64_sys_close+0x7d/0xd0 [ 9.582271] ? do_syscall_64+0x114/0x650 [ 9.582273] ? do_syscall_64+0x114/0x650 [ 9.582275] ? clear_bhb_loop+0x50/0xa0 [ 9.582277] ? clear_bhb_l ---truncated---
{
"affected": [],
"aliases": [
"CVE-2026-46279"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T17:16:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/alloc_tag: clear codetag for pages allocated before page_ext initialization\n\nDue to initialization ordering, page_ext is allocated and initialized\nrelatively late during boot. Some pages have already been allocated and\nfreed before page_ext becomes available, leaving their codetag\nuninitialized.\n\nA clear example is in init_section_page_ext(): alloc_page_ext() calls\nkmemleak_alloc(). If the slab cache has no free objects, it falls back to\nthe buddy allocator to allocate memory. However, at this point page_ext\nis not yet fully initialized, so these newly allocated pages have no\ncodetag set. These pages may later be reclaimed by KASAN, which causes\nthe warning to trigger when they are freed because their codetag ref is\nstill empty.\n\nUse a global array to track pages allocated before page_ext is fully\ninitialized. The array size is fixed at 8192 entries, and will emit a\nwarning if this limit is exceeded. When page_ext initialization\ncompletes, set their codetag to empty to avoid warnings when they are\nfreed later.\n\nThis warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and\nmem_profiling_compressed disabled:\n\n[ 9.582133] ------------[ cut here ]------------\n[ 9.582137] alloc_tag was not set\n[ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1\n[ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy)\n[ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550\n[ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 \u003c67\u003e 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7\n[ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246\n[ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c\n[ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460\n[ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324\n[ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00\n[ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360\n[ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000\n[ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0\n[ 9.582211] PKRU: 55555554\n[ 9.582212] Call Trace:\n[ 9.582213] \u003cTASK\u003e\n[ 9.582214] ? __pfx___pgalloc_tag_sub+0x10/0x10\n[ 9.582216] ? check_bytes_and_report+0x68/0x140\n[ 9.582219] __free_frozen_pages+0x2e4/0x1150\n[ 9.582221] ? __free_slab+0xc2/0x2b0\n[ 9.582224] qlist_free_all+0x4c/0xf0\n[ 9.582227] kasan_quarantine_reduce+0x15d/0x180\n[ 9.582229] __kasan_slab_alloc+0x69/0x90\n[ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500\n[ 9.582234] do_getname+0x96/0x310\n[ 9.582237] do_readlinkat+0x91/0x2f0\n[ 9.582239] ? __pfx_do_readlinkat+0x10/0x10\n[ 9.582240] ? get_random_bytes_user+0x1df/0x2c0\n[ 9.582244] __x64_sys_readlinkat+0x96/0x100\n[ 9.582246] do_syscall_64+0xce/0x650\n[ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0\n[ 9.582252] ? __pfx___x64_sys_getrandom+0x10/0x10\n[ 9.582254] ? do_syscall_64+0x114/0x650\n[ 9.582255] ? ksys_read+0xfc/0x1d0\n[ 9.582258] ? __pfx_ksys_read+0x10/0x10\n[ 9.582260] ? do_syscall_64+0x114/0x650\n[ 9.582262] ? do_syscall_64+0x114/0x650\n[ 9.582264] ? __pfx_fput_close_sync+0x10/0x10\n[ 9.582266] ? file_close_fd_locked+0x178/0x2a0\n[ 9.582268] ? __x64_sys_faccessat2+0x96/0x100\n[ 9.582269] ? __x64_sys_close+0x7d/0xd0\n[ 9.582271] ? do_syscall_64+0x114/0x650\n[ 9.582273] ? do_syscall_64+0x114/0x650\n[ 9.582275] ? clear_bhb_loop+0x50/0xa0\n[ 9.582277] ? clear_bhb_l\n---truncated---",
"id": "GHSA-q7fc-6xm7-37m9",
"modified": "2026-07-08T15:31:35Z",
"published": "2026-06-08T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46279"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b1842775a460245e97d36d3a67d0cfba7c4ff79"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b49dfabc38cad5e50af24f63edd124a10de3ebb6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5b495ba9de0423ef39f8bd86729a885870c7efe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8RR-8FCC-GC56
Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-17 15:30In the Linux kernel, the following vulnerability has been resolved:
octeon_ep: Fix host hang issue during device reboot
When the host loses heartbeat messages from the device, the driver calls the device-specific ndo_stop function, which frees the resources. If the driver is unloaded in this scenario, it calls ndo_stop again, attempting to free resources that have already been freed, leading to a host hang issue. To resolve this, dev_close should be called instead of the device-specific stop function.dev_close internally calls ndo_stop to stop the network interface and performs additional cleanup tasks. During the driver unload process, if the device is already down, ndo_stop is not called.
{
"affected": [],
"aliases": [
"CVE-2025-37933"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-20T16:15:29Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Fix host hang issue during device reboot\n\nWhen the host loses heartbeat messages from the device,\nthe driver calls the device-specific ndo_stop function,\nwhich frees the resources. If the driver is unloaded in\nthis scenario, it calls ndo_stop again, attempting to free\nresources that have already been freed, leading to a host\nhang issue. To resolve this, dev_close should be called\ninstead of the device-specific stop function.dev_close\ninternally calls ndo_stop to stop the network interface\nand performs additional cleanup tasks. During the driver\nunload process, if the device is already down, ndo_stop\nis not called.",
"id": "GHSA-q8rr-8fcc-gc56",
"modified": "2025-11-17T15:30:31Z",
"published": "2025-05-20T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37933"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34f42736b325287a7b2ce37e415838f539767bda"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d1052423518e7d0aece9af5e77bbc324face8f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e1ca1bed3f66e00377f7d2147be390144924276"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c8d788f800f83b94d9db8b3dacc1d26be38a6ef4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q92G-R34H-WRX3
Vulnerability from github – Published: 2025-03-28 06:30 – Updated: 2025-03-28 06:30A double free vulnerability has been identified in the ASUS System Analysis service. This vulnerability can be triggered by sending specially crafted local RPC requests, leading to the service crash and potentially memory manipulation in some rare circumstances. Refer to the 'Security Update for MyASUS' section on the ASUS Security Advisory for more information.
{
"affected": [],
"aliases": [
"CVE-2025-2027"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T06:15:33Z",
"severity": "MODERATE"
},
"details": "A double free vulnerability has been identified in the ASUS System Analysis service. This vulnerability can be triggered by sending specially crafted local RPC requests, leading to the service crash and potentially memory manipulation in some rare circumstances.\nRefer to the \u0027Security Update for MyASUS\u0027 section on the ASUS Security Advisory for more information.",
"id": "GHSA-q92g-r34h-wrx3",
"modified": "2025-03-28T06:30:27Z",
"published": "2025-03-28T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2027"
},
{
"type": "WEB",
"url": "https://www.asus.com/content/asus-product-security-advisory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q9CP-3QRM-W4V3
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-04-24 21:31In the Linux kernel, the following vulnerability has been resolved:
pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.
{
"affected": [],
"aliases": [
"CVE-2026-23387"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()\n\ndevm_add_action_or_reset() already invokes the action on failure,\nso the explicit put causes a double-put.",
"id": "GHSA-q9cp-3qrm-w4v3",
"modified": "2026-04-24T21:31:57Z",
"published": "2026-03-25T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23387"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/188ba3468cb7c098c62609d82e9fc58d29ead7f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e0465139fd9caee7ffefe285ef7d5f21919e474"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95b14ecc56881dd9a187e1e84dd0daa88ff22c5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea07fcfbba4301839db3784f09955d9fa3e98090"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd5bed798f45eb3a178ad527b43ab92705faaf8a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC4M-GC8R-MG8M
Vulnerability from github – Published: 2021-08-25 20:48 – Updated: 2021-08-19 20:56An issue was discovered in the alpm-rs crate through 2020-08-20 for Rust. StrcCtx performs improper memory deallocation.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "alpm-rs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35885"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T20:56:12Z",
"nvd_published_at": "2020-12-31T10:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the alpm-rs crate through 2020-08-20 for Rust. StrcCtx performs improper memory deallocation.",
"id": "GHSA-qc4m-gc8r-mg8m",
"modified": "2021-08-19T20:56:12Z",
"published": "2021-08-25T20:48:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35885"
},
{
"type": "WEB",
"url": "https://github.com/pigeonhands/rust-arch/issues/2"
},
{
"type": "PACKAGE",
"url": "https://github.com/BahNahNah/rust-arch/tree/master/alpm-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0032.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double free in alpm-rs"
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.